(2017) Adversarial patch

Keyword [Adversarial Patch]

Brown T B, Mané D, Roy A, et al. Adversarial patch[J]. arXiv preprint arXiv:1712.09665, 2017.

1. Overview

This paper proposes a method to generate universal, targeted adversarial patches

  • patches can be placed anywhere
  • explore what is possible if an attacker is no longer restricted to imperceptible changes

(existing defense techniques that focus on defending against small perturbations may not be robust to larger perturbations)

1.1. Algorithm

  • mask our patch to allow it to take any shape
  • train over a variety of images
  • apply a random translation, scaling, and rotation on the patch in each image
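
For robustness evaluation, the patch-application step listed above can be sketched as follows. This is an added example, not code from the paper: the function names, the grayscale list-of-lists image format, the scale and angle ranges, and the random untrained patch are all assumptions. It measures why a small-perturbation threat model does not cover a patch: only a few percent of pixels change, but each changes by a large amount.

```python
import math
import random

def circular_mask(size):
    """Binary mask that turns a square patch into a circle (the 'any shape' step)."""
    c = (size - 1) / 2
    return [[(x - c) ** 2 + (y - c) ** 2 <= (size / 2) ** 2 for x in range(size)]
            for y in range(size)]

def apply_patch(image, patch, mask, rng, scale_range=(0.5, 1.0), max_angle=45.0):
    """Paste `patch` into a copy of `image` at a random location, scale and rotation.
    image/patch are 2-D lists of floats in [0, 1]; the ranges are assumed values."""
    h, w, p = len(image), len(image[0]), len(patch)
    scale = rng.uniform(*scale_range)
    theta = math.radians(rng.uniform(-max_angle, max_angle))
    reach = math.ceil(scale * p / 2 * math.sqrt(2))  # radius that holds any rotation
    cx = rng.uniform(reach, w - 1 - reach)           # keep the patch inside the image
    cy = rng.uniform(reach, h - 1 - reach)
    out = [row[:] for row in image]
    cos_t, sin_t = math.cos(theta), math.sin(theta)
    for y in range(h):
        for x in range(w):
            # Inverse-map the image pixel into patch coordinates (nearest neighbour).
            dx, dy = x - cx, y - cy
            u = (cos_t * dx + sin_t * dy) / scale + (p - 1) / 2
            v = (-sin_t * dx + cos_t * dy) / scale + (p - 1) / 2
            ui, vi = round(u), round(v)
            if 0 <= ui < p and 0 <= vi < p and mask[vi][ui]:
                out[y][x] = patch[vi][ui]
    return out

def perturbation_stats(clean, patched):
    """Return (fraction of pixels changed, L-infinity distance)."""
    diffs = [abs(a - b) for rc, rp in zip(clean, patched) for a, b in zip(rc, rp)]
    return sum(d > 0 for d in diffs) / len(diffs), max(diffs)

def demo(seed=0, size=64, patch_size=16):
    rng = random.Random(seed)
    image = [[0.5] * size for _ in range(size)]      # constructed flat grey image
    patch = [[rng.choice([0.0, 1.0]) for _ in range(patch_size)]
             for _ in range(patch_size)]             # constructed, random, untrained
    patched = apply_patch(image, patch, circular_mask(patch_size), rng)
    return perturbation_stats(image, patched)
```

A robustness test suite can reuse `apply_patch` to composite evaluation patches at many random placements and report accuracy alongside these two statistics.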

1.2. Experiments

  • Five models: InceptionV3, ResNet50, Xception, VGG16 and VGG19
  • white box attack (ensemble and single) and black box attack